mTLS + JWT authentication

We are currently using JWT-based end-user authentication (origin authentication). Now we are planning to use SSL certificate authentication via a whitelist of certificates for the end users (clients) allowed to connect. However, we want to have this in our Ingress Gateway.

Does the Istio ingress gateway have support for handling both types of request?

  • If the request has a JWT token in the header, it should use origin verification using the JWT issuer and provider config.
  • If the request has a certificate, it should validate the end user using the configured TLS settings (serverCertificate, privateKey, caCertificates).

If the request has a JWT token in the header, it should use origin verification using the JWT issuer and provider config.

This can be done with an AuthorizationPolicy on the ingress gateway that allows the request if it has a valid JWT token.

If the request has a certificate, it should validate the end user using the configured TLS settings (serverCertificate, privateKey, caCertificates).

This is not supported on the ingress gateway for now. The authorization policy needs some updates if you want to use it to enforce access control based on arbitrary fields in an X.509 cert issued by a non-Istio CA.

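The JWT half of the answer above, written out as an added example (not configuration from the original post or from the Istio project): a RequestAuthentication on the ingress gateway that validates tokens from one issuer, plus the AuthorizationPolicy that actually requires one. The gateway selector (istio: ingressgateway in istio-system) is the default Istio install; the issuer and jwksUri are placeholders for your own identity provider.

```yaml
# Added example, not from the original post. Assumes the default Istio ingress
# gateway deployment (label istio: ingressgateway, namespace istio-system).
# Issuer and JWKS URL are placeholders for your identity provider.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://issuer.example.com"                           # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"    # placeholder
---
# RequestAuthentication alone only rejects requests that carry an *invalid*
# token (401); a request with no token at all still passes through. This
# AuthorizationPolicy closes that gap: requestPrincipals matches only requests
# whose JWT was validated by the rule above, and pinning it to "<issuer>/*"
# rejects tokens from any other issuer that might later be added.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]        # placeholder issuer
```

Apply both with kubectl apply -f. Afterwards a request with a tampered or expired token gets 401 from the RequestAuthentication, and a request with no token gets 403 (RBAC: access denied) from the AuthorizationPolicy. Note the blast radius: an ALLOW policy selected onto the gateway denies every request on that gateway that matches no rule, across all hosts and paths, so any routes that must remain unauthenticated need their own rule (for example a `to` block scoped to those paths) in the same policy.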